odroid-m1-sb: create signed and verified u-boot

Signed-off-by: Michał Iwanicki <[email protected]>

Makefile

@@ -1123,6 +1123,9 @@ endef
 .binman_stamp: $(INPUTS-y) FORCE
 ifeq ($(CONFIG_BINMAN),y)
 	$(call if_changed,binman)
+ifeq ($(CONFIG_SIGN_UBOOT),y)
+	$(objtree)/tools/mkimage -F -k $(CONFIG_KEY_DIRECTORY) u-boot.itb
+endif
 endif
 	@touch $@
 

arch/arm/dts/rockchip-u-boot.dtsi

@@ -30,11 +30,6 @@
 			};
 #endif
 			u-boot-spl {
-                u_boot_spl_pubkey_dtb {
-                    algo = "sha256,rsa4096";
-                    required = "image";
-                    key-name-hint = "dev";
-                };
 			};
 		};
 
@@ -82,10 +77,12 @@
 						algo = "sha256";
 					};
 
+#ifdef CONFIG_SIGN_UBOOT_IMAGES
 					signature {
-						algo = "sha256,rsa2048";
-						key-name-hint = "dev";
+						algo = CONFIG_SIGN_SIGNING_ALGORITHM;
+						key-name-hint = CONFIG_KEY_HINT_NAME;
 					};
+#endif
 #endif
 				};
 
@@ -108,10 +105,12 @@
 						algo = "sha256";
 					};
 
+#ifdef CONFIG_SIGN_UBOOT_IMAGES
 					signature {
-						algo = "sha256,rsa2048";
-						key-name-hint = "dev";
+						algo = CONFIG_SIGN_SIGNING_ALGORITHM;
+						key-name-hint = CONFIG_KEY_HINT_NAME;
 					};
+#endif
 #endif
 				};
 				@tee-SEQ {
@@ -133,10 +132,12 @@
 						algo = "sha256";
 					};
 
+#ifdef CONFIG_SIGN_UBOOT_IMAGES
 					signature {
-						algo = "sha256,rsa2048";
-						key-name-hint = "dev";
+						algo = CONFIG_SIGN_SIGNING_ALGORITHM;
+						key-name-hint = CONFIG_KEY_HINT_NAME;
 					};
+#endif
 #endif
 				};
 #else
@@ -156,10 +157,12 @@
 						algo = "sha256";
 					};
 
+#ifdef CONFIG_SIGN_UBOOT_IMAGES
 					signature {
-						algo = "sha256,rsa2048";
-						key-name-hint = "dev";
+						algo = CONFIG_SIGN_SIGNING_ALGORITHM;
+						key-name-hint = CONFIG_KEY_HINT_NAME;
 					};
+#endif
 #endif
 				};
 #endif
@@ -173,10 +176,12 @@
 						algo = "sha256";
 					};
 
+#ifdef CONFIG_SIGN_UBOOT_IMAGES
 					signature {
-						algo = "sha256,rsa2048";
-						key-name-hint = "dev";
+						algo = CONFIG_SIGN_SIGNING_ALGORITHM;
+						key-name-hint = CONFIG_KEY_HINT_NAME;
 					};
+#endif
 #endif
 				};
 			};
@@ -193,13 +198,13 @@
 #endif
 					fit,loadables;
 
-					/*
+#ifdef CONFIG_SIGN_UBOOT_CONF
 					signature {
-						algo = "sha256,rsa2048";
-						key-name-hint = "dev";
+						algo = CONFIG_SIGN_SIGNING_ALGORITHM;
+						key-name-hint = CONFIG_KEY_HINT_NAME;
 						sign-images = "fdt", "firmware", "loadables";
 					};
-					*/
+#endif
 				};
 			};
 		};

arch/arm/mach-rockchip/Kconfig

@@ -528,6 +528,57 @@ config ROCKCHIP_SPI_IMAGE
 config LNX_KRNL_IMG_TEXT_OFFSET_BASE
 	default TEXT_BASE
 
+menuconfig SIGN_UBOOT
+	bool	"Sign U-Boot"
+	depends on SPL_FIT_SIGNATURE
+
+if SIGN_UBOOT
+
+config KEY_DIRECTORY
+	string	"Key directory"
+	default "."
+	help
+	  Directory in which to look for keys
+
+config KEY_HINT_NAME
+	string	"Key hint name"
+	default "dev"
+	help
+	  Private key: CONFIG_KEY_NAME.key
+	  Certificate: CONFIG_KEY_NAME.crt
+
+choice
+	prompt "Which part of U-Boot to sign"
+
+config SIGN_UBOOT_CONF
+	bool	"Sign configuration"
+
+config SIGN_UBOOT_IMAGES
+	bool	"Sign images"
+
+endchoice
+
+config SPL_ADD_PUBLIC_KEY
+	bool	"Add public key to SPL dtb"
+	default n
+
+choice SIGN_SIGNING_ALGORITHM
+	prompt "Crypto algorithm used when signing"
+	default	SIGN_SIGNING_ALGORITHM_SHA256_RSA2048
+
+	config SIGN_SIGNING_ALGORITHM_SHA1_RSA2048
+		bool "SHA1, RSA2048"
+	config SIGN_SIGNING_ALGORITHM_SHA256_RSA2048
+		bool "SHA256, RSA2048"
+endchoice
+
+config SIGN_SIGNING_ALGORITHM
+	string
+	default "sha1,rsa2048" if SIGN_SIGNING_ALGORITHM_SHA1_RSA2048
+	default "sha256,rsa2048" if SIGN_SIGNING_ALGORITHM_SHA256_RSA2048
+
+endif # SIGN_UBOOT
+
 source "arch/arm/mach-rockchip/px30/Kconfig"
 source "arch/arm/mach-rockchip/rk3036/Kconfig"
 source "arch/arm/mach-rockchip/rk3066/Kconfig"

configs/odroid-m1-sb-rk3568_defconfig

@@ -0,0 +1,116 @@
+CONFIG_ARM=y
+CONFIG_SKIP_LOWLEVEL_INIT=y
+CONFIG_COUNTER_FREQUENCY=24000000
+CONFIG_ARCH_ROCKCHIP=y
+CONFIG_TEXT_BASE=0x00a00000
+CONFIG_SPL_LIBCOMMON_SUPPORT=y
+CONFIG_SPL_LIBGENERIC_SUPPORT=y
+CONFIG_NR_DRAM_BANKS=2
+CONFIG_HAS_CUSTOM_SYS_INIT_SP_ADDR=y
+CONFIG_CUSTOM_SYS_INIT_SP_ADDR=0xc00000
+CONFIG_SF_DEFAULT_SPEED=24000000
+CONFIG_SF_DEFAULT_MODE=0x1000
+CONFIG_DEFAULT_DEVICE_TREE="rk3568-odroid-m1"
+CONFIG_ROCKCHIP_RK3568=y
+CONFIG_SPL_ROCKCHIP_COMMON_BOARD=y
+CONFIG_ROCKCHIP_SPI_IMAGE=y
+CONFIG_SIGN_UBOOT=y
+CONFIG_KEY_DIRECTORY="keys"
+CONFIG_SPL_ADD_PUBLIC_KEY=y
+CONFIG_SPL_SERIAL=y
+CONFIG_SPL_STACK_R_ADDR=0x600000
+CONFIG_TARGET_ODROID_M1_RK3568=y
+CONFIG_SPL_STACK=0x400000
+CONFIG_DEBUG_UART_BASE=0xFE660000
+CONFIG_DEBUG_UART_CLOCK=24000000
+CONFIG_SPL_SPI_FLASH_SUPPORT=y
+CONFIG_SPL_SPI=y
+CONFIG_SYS_LOAD_ADDR=0xc00800
+CONFIG_PCI=y
+CONFIG_DEBUG_UART=y
+CONFIG_AHCI=y
+CONFIG_FIT=y
+CONFIG_FIT_VERBOSE=y
+CONFIG_SPL_FIT_SIGNATURE=y
+CONFIG_SPL_LOAD_FIT=y
+CONFIG_LEGACY_IMAGE_FORMAT=y
+CONFIG_DEFAULT_FDT_FILE="rockchip/rk3568-odroid-m1.dtb"
+# CONFIG_DISPLAY_CPUINFO is not set
+CONFIG_DISPLAY_BOARDINFO_LATE=y
+CONFIG_SPL_MAX_SIZE=0x40000
+CONFIG_SPL_PAD_TO=0x7f8000
+CONFIG_SPL_HAS_BSS_LINKER_SECTION=y
+CONFIG_SPL_BSS_START_ADDR=0x4000000
+CONFIG_SPL_BSS_MAX_SIZE=0x4000
+# CONFIG_SPL_RAW_IMAGE_SUPPORT is not set
+# CONFIG_SPL_SHARES_INIT_SP_ADDR is not set
+CONFIG_SPL_STACK_R=y
+CONFIG_SPL_STACK_R_MALLOC_SIMPLE_LEN=0x150000
+CONFIG_SPL_SPI_LOAD=y
+CONFIG_SYS_SPI_U_BOOT_OFFS=0x100000
+CONFIG_SPL_ATF=y
+CONFIG_CMD_GPIO=y
+CONFIG_CMD_GPT=y
+CONFIG_CMD_I2C=y
+CONFIG_CMD_MMC=y
+CONFIG_CMD_MTD=y
+CONFIG_CMD_PCI=y
+CONFIG_CMD_USB=y
+# CONFIG_CMD_SETEXPR is not set
+CONFIG_CMD_INI=y
+CONFIG_CMD_PMIC=y
+CONFIG_CMD_REGULATOR=y
+CONFIG_CMD_CRAMFS=y
+CONFIG_MTDPARTS_DEFAULT="nor0:0x100000(reserved),0x200000(uboot),0x100000(splash),0xc00000(Firmware)"
+# CONFIG_SPL_DOS_PARTITION is not set
+CONFIG_SPL_OF_CONTROL=y
+CONFIG_OF_LIVE=y
+CONFIG_OF_SPL_REMOVE_PROPS="clock-names interrupt-parent assigned-clocks assigned-clock-rates assigned-clock-parents"
+CONFIG_SPL_DM_SEQ_ALIAS=y
+CONFIG_SPL_REGMAP=y
+CONFIG_SPL_SYSCON=y
+CONFIG_AHCI_PCI=y
+CONFIG_DWC_AHCI=y
+CONFIG_SPL_CLK=y
+CONFIG_ROCKCHIP_GPIO=y
+CONFIG_SYS_I2C_ROCKCHIP=y
+CONFIG_MISC=y
+CONFIG_SUPPORT_EMMC_RPMB=y
+CONFIG_MMC_DW=y
+CONFIG_MMC_DW_ROCKCHIP=y
+CONFIG_MMC_SDHCI=y
+CONFIG_MMC_SDHCI_SDMA=y
+CONFIG_MMC_SDHCI_ROCKCHIP=y
+CONFIG_SF_DEFAULT_BUS=4
+CONFIG_SPI_FLASH_SFDP_SUPPORT=y
+CONFIG_SPI_FLASH_MACRONIX=y
+CONFIG_SPI_FLASH_MTD=y
+CONFIG_PHY_REALTEK=y
+CONFIG_DWC_ETH_QOS=y
+CONFIG_DWC_ETH_QOS_ROCKCHIP=y
+CONFIG_NVME_PCI=y
+CONFIG_PCIE_DW_ROCKCHIP=y
+CONFIG_PHY_ROCKCHIP_INNO_USB2=y
+CONFIG_PHY_ROCKCHIP_NANENG_COMBOPHY=y
+CONFIG_SPL_PINCTRL=y
+CONFIG_DM_PMIC=y
+CONFIG_PMIC_RK8XX=y
+CONFIG_REGULATOR_RK8XX=y
+CONFIG_PWM_ROCKCHIP=y
+CONFIG_SPL_RAM=y
+CONFIG_SCSI=y
+CONFIG_BAUDRATE=1500000
+CONFIG_DEBUG_UART_SHIFT=2
+CONFIG_SYS_NS16550_MEM32=y
+CONFIG_ROCKCHIP_SFC=y
+CONFIG_SYSRESET=y
+CONFIG_USB=y
+CONFIG_USB_XHCI_HCD=y
+CONFIG_USB_EHCI_HCD=y
+CONFIG_USB_EHCI_GENERIC=y
+CONFIG_USB_OHCI_HCD=y
+CONFIG_USB_OHCI_GENERIC=y
+CONFIG_USB_DWC3=y
+CONFIG_USB_DWC3_GENERIC=y
+CONFIG_FS_CRAMFS=y
+CONFIG_ERRNO_STR=y

dts/Makefile

@@ -19,6 +19,9 @@ endif
 $(obj)/dt-$(SPL_NAME).dtb: dts/dt.dtb $(objtree)/tools/fdtgrep FORCE
 	mkdir -p $(dir $@)
 	$(call if_changed,fdtgrep)
+ifeq ($(CONFIG_SPL_ADD_PUBLIC_KEY),y)
+	$(call if_changed,fdt_add_pubkey)
+endif
 
 ifeq ($(CONFIG_OF_DTB_PROPS_REMOVE),y)
 $(obj)/dt.dtb: $(DTB) $(objtree)/tools/fdtgrep FORCE

scripts/Makefile.lib

@@ -691,3 +691,14 @@ define filechk_offsets
 	 echo ""; \
 	 echo "#endif" )
 endef
+
+ifeq ($(CONFIG_SIGN_UBOOT_IMAGES),y)
+spl_require_value=image
+else
+spl_require_value=conf
+endif
+
+quiet_cmd_fdt_add_pubkey = FDT_ADD_PUBKEY $@
+      cmd_fdt_add_pubkey = $(objtree)/tools/fdt_add_pubkey \
+	    -a $(CONFIG_SIGN_SIGNING_ALGORITHM) -k $(CONFIG_KEY_DIRECTORY) \
+		-r $(spl_require_value) -n $(CONFIG_KEY_HINT_NAME) $@